Douglas Otis wrote:
> While DNSSEC may protect against data corruption,
So does TCP, UDP or SCTP checksum.
A problem is that such protection does not valid over a chain of
certificate authorities or caching servers.
> such protection
> depends upon the thorny problem of verifying a key will be solved in a
> practical and politically acceptable manner.
If the protection by a chain of untrustworthy certificate authorities
of DNSSEC is practically acceptable, a protection by a chain of
untrustworthy caching servers of plain old DNS is also practically
acceptable. Moreover, plain old DNS is already practically accepted.
Though there seems to be some confusion that DNSSEC security were
end to end, below is an excerpt from an authentic document by David
Clark on how PKI, including DNSSEC, involves certificate authorities
of third parties.
http://portal.acm.org/citation.cfm?doid=383034.383037
Public-key certificates
An important role for a third party occurs when public key cryptography
is used for user authentication and protected communication. A user can
create a public key and give it to others, to enable communication with
that user in a protected manner. Transactions based on a wellknown
public key can be rather simple two-party interactions that fit well
within the end to end paradigm. However, there is a key role for a
third party, which is to issue a Public Key Certificate and manage the
stock of such certificates; such parties are called certificate
authorities. The certificate is an assertion by that (presumably
trustworthy) third party that the indicated public key actually goes
with the particular user.
So, though communication between an end user and a certificate
authority can be end to end, the entire system of PKI is not.
Masataka Ohta
_______________________________________________
Ietf@xxxxxxxx
https://www.ietf.org/mailman/listinfo/ietf